oroinc / platform

Main OroPlatform package with core functionality.

Package guzzlehttp/guzzle 7.4.4 suffers vulnerabilities CVE-2022-31090 and CVE-2022-31091. #1084

Closed ndeg closed 1 year ago

ndeg commented 2 years ago

Summary
The 5.0 branch of oro/platform is installed with the v7.4.4 of package guzzlehttp/guzzle.

However, this version is affected by vulnerabilities CVE-2022-31090 and CVE-2022-31091.

It is recommended to upgrade to v7.4.5.

Steps to reproduce

First, install local-php-security-checker (see https://github.com/fabpot/local-php-security-checker)

git clone git@github.com:oroinc/platform.git
composer install
local-php-security-checker

Actual Result

Symfony Security Check Report
=============================

1 package has known vulnerabilities.

guzzlehttp/guzzle (7.4.4)
-------------------------

 * [CVE-2022-31090][]: CURLOPT_HTTPAUTH option not cleared on change of origin
 * [CVE-2022-31091][]: Change in port should be considered a change in origin

[CVE-2022-31090]: https://github.com/guzzle/guzzle/security/advisories/GHSA-25mq-v84q-4j7r
[CVE-2022-31091]: https://github.com/guzzle/guzzle/security/advisories/GHSA-q559-8m2m-g699

Note that this checker can only detect vulnerabilities that are referenced in the security advisories database.
Execute this command regularly to check the newly discovered vulnerabilities.

Expected Result

Symfony Security Check Report
=============================

No packages have known vulnerabilities.

Note that this checker can only detect vulnerabilities that are referenced in the security advisories database.
Execute this command regularly to check the newly discovered vulnerabilities.

Details about your environment

Additional information
I tested that these lines in composer.json should be updated:

        "guzzlehttp/guzzle": ">=7.4.5 <7.5.0",
        "guzzlehttp/psr7": "~1.9.0",

Disclaimer: I did not run unit tests, nor functional tests.
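
The two advisories above describe the same underlying defect: credentials configured for one origin were still sent after a redirect to another origin, and a change of port alone was not treated as a change of origin. As an added illustration (not Oro's or Guzzle's own code), the PHP below shows the same-origin rule a client should apply before forwarding credentials, with scheme, host and port all part of the comparison; the `auth` and `Authorization` keys are assumed option names modelled on Guzzle's request options.

```php
<?php
// Added example: an origin comparison that includes the port, and a helper that
// strips credentials from the options used to follow a cross-origin redirect.

function defaultPort(string $scheme): ?int
{
    // Only the schemes relevant to an HTTP client are mapped here.
    return ['http' => 80, 'https' => 443][strtolower($scheme)] ?? null;
}

// Origin = (scheme, host, port). An explicit default port (":443" on https)
// is normalised so it compares equal to the implicit one.
function originOf(string $url): ?array
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return null; // relative or malformed URL: treat as not comparable
    }
    $scheme = strtolower($p['scheme']);
    $port = $p['port'] ?? defaultPort($scheme);
    return [$scheme, strtolower($p['host']), $port];
}

function isSameOrigin(string $from, string $to): bool
{
    $a = originOf($from);
    $b = originOf($to);
    // A non-comparable URL is never "same origin", so credentials are dropped.
    return $a !== null && $b !== null && $a === $b;
}

// Options for following a redirect: credentials travel only when the target
// shares the origin of the request that carried them.
function redirectOptions(string $from, string $to, array $options): array
{
    if (isSameOrigin($from, $to)) {
        return $options;
    }
    unset($options['auth']);                     // assumed key: basic/digest credentials
    unset($options['headers']['Authorization']); // assumed key: bearer/raw header
    return $options;
}

// Constructed sample: same host, different port, so the origin differs.
$opts = ['auth' => ['user', 'secret'], 'headers' => ['Authorization' => 'Bearer x']];
$from = 'https://api.example.com/login';
$to   = 'https://api.example.com:8443/next';
var_dump(isSameOrigin($from, $to));
var_dump(redirectOptions($from, $to, $opts));
var_dump(isSameOrigin($from, 'https://API.example.com:443/other'));
```

The last call shows the normalisation: an explicit `:443` with a differently cased host is still the same origin, while the `:8443` target is not and loses both credential keys.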

anyt commented 2 years ago

Thank you for the report. The next patch release will include the fix. The internal ticket id is BAP-21447.

anyt commented 1 year ago

Fixed in v5.0.4 and v4.2.13.